AD – Bonus Content

AD – Scripts

Ultimate Active Directory Scripts for Pentesters

If you want to go from low-priv to domain dominance, this is your toolkit. Below you’ll find all the major scripts used in real-world AD exploitation, with commands and inline comments to explain what they do.

Active Directory Enumeration Scripts
1. PowerView
2. SharpHound / BloodHound
3. ADRecon


Master AD Exploitation

How to Master Active Directory Exploitation: A Practical Blueprint

Active Directory (AD) isn’t just a single service; it’s an entire identity ecosystem. To become effective at exploiting it, you need to understand how the parts fit together: authentication, trust, delegation, permissions, and misconfigurations. This guide is your direct path to mastering AD exploitation.


Constrained Delegation Attack e.g.

Constrained Delegation Attack Path – Full Workflow Example

Goal: Start as a low-privileged domain user and escalate to a server-level administrator using Constrained Delegation abuse.

Lab Environment (Fictional Setup):
- Domain Name: intranet.offensive.local
- Domain Controller: DC01.intranet.offensive.local
- Web Server: WEB01.intranet.offensive.local
- SQL Server: SQL01.intranet.offensive.local
- Tier 1 Admin: t1_john.murphy
- Service Account: svcWebApp
- Your Low-Priv User: alice.reed

Step-by-Step
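Before running any delegation abuse, the first thing a practitioner checks is whether the lab is actually set up for it: which accounts carry msDS-AllowedToDelegateTo, whether protocol transition (TrustedToAuthForDelegation) is enabled on them, and whether the target admin is protected from delegation. The script below is an added example written for this page, not code from the original post; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the fictional intranet.offensive.local domain and the account names from the lab table above.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module
# and read access to the lab domain intranet.offensive.local.
Import-Module ActiveDirectory

$Domain = 'intranet.offensive.local'   # lab domain from the post
$Target = 't1_john.murphy'              # tier-1 admin from the post

# userAccountControl bits (ADS_USER_FLAG_ENUM)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition: S4U2Self for any user
$NOT_DELEGATED                  = 0x100000    # 'Account is sensitive and cannot be delegated'

# Any object with msDS-AllowedToDelegateTo set is configured for constrained delegation.
# Without TrustedToAuthForDelegation, the account can only forward tickets of users who
# actually authenticated to it (Kerberos-only mode), which narrows the attack considerably.
$Delegators = Get-ADObject -Server $Domain `
    -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties msDS-AllowedToDelegateTo, userAccountControl, servicePrincipalName

$Delegators | ForEach-Object {
    [pscustomobject]@{
        Account             = $_.Name
        Type                = $_.ObjectClass
        ProtocolTransition  = [bool]($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        AllowedToDelegateTo = ($_.'msDS-AllowedToDelegateTo' -join '; ')
    }
} | Format-Table -AutoSize

# The impersonation target must be delegatable: neither flagged NOT_DELEGATED nor a member
# of Protected Users, otherwise the KDC refuses to issue a forwardable ticket for them.
$User = Get-ADUser -Server $Domain -Identity $Target -Properties userAccountControl, MemberOf
[pscustomobject]@{
    User             = $User.SamAccountName
    NotDelegated     = [bool]($User.userAccountControl -band $NOT_DELEGATED)
    InProtectedUsers = [bool]($User.MemberOf -match '^CN=Protected Users,')
}
```

If svcWebApp shows ProtocolTransition = True with an entry such as MSSQLSvc/SQL01.intranet.offensive.local and t1_john.murphy shows both flags False, the path described in the post is open. A defender reading the same output should flip the first flag off (Kerberos-only constrained delegation) and put tier-1 admins in Protected Users.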


Access Control Entries (ACEs)

BloodHound-Relevant ACE Permissions (Access Rights)

- GenericAll: Full control over the object (add/remove members, reset passwords, modify ACLs). Nothing is excluded; this is the highest possible permission.
- GenericWrite: Modify most properties (e.g., member, description, servicePrincipalName). Can’t edit the object’s DACL or owner.
- WriteOwner: Change the owner
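The rights listed above only matter if you can find who holds them on a given object. The script below is an added example written for this page, not code from the original post or from BloodHound itself. It walks the DACL of an AD object through the AD: PSDrive of the RSAT ActiveDirectory module and reports the Allow ACEs that grant the rights BloodHound draws edges for, decoding the well-known extended-right GUIDs for password reset and DCSync. The distinguished name at the bottom is the lab domain from this page’s other posts and is an assumption.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module,
# which exposes the directory as the AD: PSDrive used by Get-Acl.
Import-Module ActiveDirectory

# Generic rights that give control over an object (names as in
# System.DirectoryServices.ActiveDirectoryRights).
$Interesting = 'GenericAll', 'GenericWrite', 'WriteOwner', 'WriteDacl'

# Extended rights worth flagging, keyed by their control-access-right GUID.
$ExtendedRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'   # reset password
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'     # DCSync half 1
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All' # DCSync half 2
}

function Get-InterestingAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # Deny ACEs are ignored here for brevity; a full evaluation must honour them.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit    = @($rights | Where-Object { $_ -in $Interesting })

        # An ExtendedRight ACE is scoped by ObjectType: the empty GUID means every
        # extended right, otherwise only the named control-access right.
        if ($rights -contains 'ExtendedRight') {
            $g = $ace.ObjectType.ToString()
            if ($g -eq [guid]::Empty.ToString())  { $hit += 'AllExtendedRights' }
            elseif ($ExtendedRights.ContainsKey($g)) { $hit += $ExtendedRights[$g] }
        }

        if ($hit.Count -gt 0) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = ($hit -join ',')
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Example target: the Domain Admins group in the lab domain used on this page (assumed DN).
Get-InterestingAces -DistinguishedName 'CN=Domain Admins,CN=Users,DC=intranet,DC=offensive,DC=local' |
    Format-Table -AutoSize
```

Expect the built-in holders (SYSTEM, Domain Admins, Enterprise Admins, Account Operators) to appear on almost every object; the interesting rows are the ones naming a low-privileged user or group. Inherited = True means the ACE comes from a parent OU, so fixing it at the object alone will not make it go away.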


AD More Enum

Active Directory More Enumeration

This post serves as a reference sheet for enumerating Active Directory (AD) environments using a combination of graphical and command-line methods. It covers runas, RDP sessions, MMC (Microsoft Management Console), and the classic net command: practical, living-off-the-land methods that gather critical domain information with tooling already present on any Windows host.

Credential Injection with


Kerberos in Detail

What is Kerberos?

Kerberos is the default authentication protocol in modern Windows Active Directory environments. It’s like a digital passport system:

The Core Players in Kerberos

Let’s introduce the main characters:
- Client: The user’s computer
- User: You, logging in
- Service: What you want to access (e.g., file share, SQL server)
- KDC (Key Distribution

